On March 1, 2017, the New York State Department of Financial Services' (DFS) mandatory cybersecurity requirements for financial services entities became effective, with implementation to occur within 180 days (August 28, 2017).
The purpose of the regulation is to require organizations to establish and maintain a “risk-based, holistic, and robust security program” that is designed to protect consumers’ private data.
Below, learn more about the requirements and see what solutions from Rapid7 can help you get compliant.
Broadly, the NYDFS cybersecurity requirements cover any organization operating under or required to “operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities.” This includes:
It EXEMPTS companies with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets.
Firstly, and most significantly, this NYDFS cybersecurity regulation requires covered entities to file an annual certification of compliance with the regulation. These Certifications of Compliance will commence February 15, 2018.
According to the regulation, in order for organizations to reach the goals of the compliance, organizations must implement the following:
Establish a cybersecurity program based on periodic risk assessments and designed to identify and assess risks; protect information systems and nonpublic information; detect, respond to, and recover from cyber events; and fulfill all reporting obligations.
Create and maintain written policies and procedures for the protection of information systems and nonpublic information based on the company’s risk assessment.
Designate a CISO to oversee and implement the cybersecurity program. The CISO may be employed by the regulated entity, an affiliate, or a third-party service provider.
The cybersecurity program must include continuous monitoring or annual penetration testing and bi-annual vulnerability assessments.
Maintain systems designed to recover material financial transactions following an event and audit trails to detect and respond to cybersecurity events.
Implement secure development practices and procedures for evaluating and testing the security of applications.
Conduct bi-annual risk assessments that consider threats, particular risks to the entity, and an examination of existing controls in the context of identified risk.
Utilize qualified cybersecurity personnel or an “Affiliate or a Third-Party Service Provider” sufficient to manage the organization’s risks and to perform or oversee the performance of the core cybersecurity functions.
Establish a written incident response plan for responding to and recovering from cybersecurity events.